dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Reinstate security hotspot rule definition #900

Closed NIGCH closed 7 months ago

NIGCH commented 8 months ago

Related to https://github.com/dependency-check/dependency-check-sonar-plugin/issues/870. SonarQube 10.2 requires the security hotspot rule to be defined, otherwise it throws an error:

Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot

Reamer commented 8 months ago

The two rules should be different. One with the marking that it is a security hotspot rule.

NIGCH commented 7 months ago

@Reamer Apologies for the delay. Is it just the name that needs to change, i.e. "Using Components with Known Vulnerabilities Security Hotspot"?

Reamer commented 7 months ago

I have finally found time to test the latest version of SonarQube. I noticed the following regarding the security hotspot. Security hotspots appear to be deprecated. This is why the type was also removed here: https://github.com/dependency-check/dependency-check-sonar-plugin/pull/895/files#diff-5965cba5b1809185b468ca61b3e32a8c4c564dcaad9262ea6ae8461680904250L45

Reamer commented 7 months ago

I think I have found a solution. What do you think? Does it work for you?

diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
index 436f3c5..f311a3e 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
@@ -21,9 +21,9 @@ package org.sonar.dependencycheck.rule;

 import javax.annotation.ParametersAreNonnullByDefault;

+import org.sonar.api.issue.impact.Severity;
 import org.sonar.api.issue.impact.SoftwareQuality;
 import org.sonar.api.rule.RuleStatus;
-import org.sonar.api.issue.impact.Severity;
 import org.sonar.api.server.rule.RulesDefinition;
 import org.sonar.dependencycheck.base.DependencyCheckConstants;

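Review bot: this hunk only moves the `org.sonar.api.issue.impact.Severity` import to its alphabetical position among the other `org.sonar.api` imports; there is no behavioural change, so it could be kept out of this fix to keep the history of the deprecated-key change focused.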
@@ -40,6 +40,7 @@ public class KnownCveRuleDefinition implements RulesDefinition {

         NewRule rule = repo.createRule(DependencyCheckConstants.RULE_KEY);
         fillOWASPRule(rule);
+        rule.addDeprecatedRuleKey(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT);
         repo.done();
     }

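Review bot: the added `rule.addDeprecatedRuleKey(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT)` maps the old hotspot key onto the single remaining `RULE_KEY` rule, which addresses the "Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot" startup error by declaring the old key as renamed rather than deleted; since the hotspot rule is no longer created in this repository, make sure `RULE_KEY_WITH_SECURITY_HOTSPOT` stays defined in `DependencyCheckConstants` for this call, and consider a unit test on the `RulesDefinition` context asserting that the repository contains exactly one rule whose deprecated keys include the hotspot key, so a later cleanup of the constant does not silently reintroduce the error. This also collapses the two rules into one, which differs from the earlier suggestion in this thread that the two rules be kept distinct, so the change is worth a line in the changelog.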
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java
index 99ac009..d57e849 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java
@@ -28,8 +28,6 @@ public class NeutralProfile implements BuiltInQualityProfilesDefinition {
     public void define(Context context) {
         NewBuiltInQualityProfile dependencyCheckWay = context.createBuiltInQualityProfile("Neutral", DependencyCheckConstants.LANGUAGE_KEY);
         dependencyCheckWay.activateRule(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY);
-        dependencyCheckWay.activateRule(DependencyCheckConstants.REPOSITORY_KEY,
-                DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT);
         dependencyCheckWay.done();
     }
 }
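Review bot: removing the `activateRule(..., RULE_KEY_WITH_SECURITY_HOTSPOT)` call is required for consistency with the `KnownCveRuleDefinition` change, because activating a rule key that the repository no longer defines would fail the built-in profile definition; the remaining `activateRule(..., RULE_KEY)` keeps the Neutral profile covering the consolidated rule, and any other profile class in `org.sonar.dependencycheck.rule` that activates the hotspot key needs the same removal.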

NIGCH commented 7 months ago

I see, thank you for this. The changes work for me insofar as I can now start SonarQube again with the plugin installed. I have still managed to produce security hotspots on the dashboard's overview tab, but trying to view them is giving me an error. I'll try to come back to this next week.

NIGCH commented 7 months ago

Whatever issue I'd hit on Friday, I can't now recreate using 10.2.1 or 10.3.0. I still have security hotspots, but I can view them without any issues. I hope you don't mind, I've pushed your suggested changes.